Scientific Linux Fermi 6.9 i386/x86_64 May 1, 2017 --------------------------------------------------------------------------- Please send bug reports (not questions) to linux-users@listserv.fnal.gov Also read the Upstream Vendor release notes . They are located at https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/6.9_Release_Notes/ https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/6.9_Technical_Notes/ Also read the SL.releasenote for changes between SL and TUV(The Upstream Vendor). They are located in sl-release-notes/ ITEMS marked with "*" indicate items changed since 6.8 . ---------------------------------------------------------------------------- This is based on the rebuilding of RPMS out of SRPMS's that form Scientific Linux. Please read this entire document before installing. Table of contents INSTALLATION INFO ADDED compared to Scientific Linux 6.9 UPDATED compared to Scientific Linux 6.9 REMOVED compared to Scientific Linux 6.9 Installer modifications /contrib /docs /notsupported MISC Notes HARDWARE SPECIFIC ISSUES SOFTWARE ISSUES/BUGS SUPPORT INFO vendor ERRATA Each has a "---" line above and below it. _____________________________________________________________________________ INSTALLATION INFO NOTE replace "slf6.9" with slf6rolling for ALPHA and BETA releases _____________________________________________________________________________ Installation Locations Via NETWORK: NOTE the http choice is done automatically for network install image nfs: linux.fnal.gov:/export/linux/fermi/slf6.9/i386/os/ linux.fnal.gov:/export/linux/fermi/slf6.9/x86_64/os/ ftp: linux.fnal.gov/linux/fermi/slf6.9/i386/os/ linux.fnal.gov/linux/fermi/slf6.9/x86_64/os/ http: linux1.fnal.gov/linux/fermi/slf6.9/i386/os/ linux1.fnal.gov/linux/fermi/slf6.9/x86_64/os/ VIA ISO DVD iso image: ftp://linux1.fnal.gov/linux/fermi/slf6.9/i386/iso/ ftp://linux1.fnal.gov/linux/fermi/slf6.9/x86_64/iso/ SLF-69-<ARCH>-2017-05-01-DVD1.iso SLF-69-<ARCH>-2017-05-01-DVD2.iso SLF-69-<ARCH>-2017-05-01-DVD-DL.iso network install via boot.iso ftp://linux1.fnal.gov/linux/fermi/slf6.9/i386/iso/ ftp://linux1.fnal.gov/linux/fermi/slf6.9/x86_64/iso/ SLF-69-<ARCH>-2017-05-01-boot.iso And our easy to remember location ftp://linux.fnal.gov/downloads/slf6.9/ When installing SLF 6.x as a Xen Paravirtualized Guest the installation location is http://linux1.fnal.gov/linux/fermi/slf6x/<arch>/os/ ----------------------------------------------------------------------------- ADDED compared to Scientific Linux 6.9 i386/x86_64 ----------------------------------------------------------------------------- *slf-release-6.9-1 Provide /etc/yum.repos.d/slf.repo . This repo includes entries for slf , slf-updates and slf-source. The repos slf and slf-updates are enabled by default. slf-bookmarks-6-1.slf6 Customized for SLF *slf-release-notes Places Fermi.releasenote in html format in /usr/share/doc/slf-release-notes-6.9/ alpine In release *cigetcert * cigetcert gets an X.509 certificate from a SAML 2.0 Service Provider * (SP) such as CILogon using the Enhanced Client and Proxy (ECP) * profile. Optionally it can also get a grid proxy certificate and/or * transfer the proxy to MyProxy. * It was developed for the Fermilab Distributed Computing Access * with Federated Identities (DCAFI) project. Clam Anti Virus Clam Anti-Virus. Obtained from the EPEL repository and rebuilt from src.rpm. http://www.clamav.net clamav-0.99.1-1.el6.i686.rpm clamav-db-0.99.1-1.el6.i686.rpm clamav-devel-0.99.1-1.el6.i686.rpm clamav-milter-0.99.1-1.el6.i686.rpm clamav-unofficial-sigs-3.7.1-7.el6.noarch.rpm clamd-0.99.1-1.el6.i686.rpm clamsmtp-1.10-6.el6 drbd These packages have been removed from SLF since they are available in elrepo and atrpms with a preference to elrepo. drbd83-utils-8.3.16-1.el6.i686.rpm kmod-drbd83-8.3.16-2.el6.i686.rpm flpr Installed by default. This does NOT require ups/upd. The flpr binary will reside in /usr/local/bin/ flpr heartbeat These packages have been removed from SLF since they are available in EPEL. heartbeat-3.0.4-1.el6 heartbeat-devel-3.0.4-1.el6 heartbeat-libs-3.0.4-1.el6 libnet-1.1.5-1.el6 libnet-devel-1.1.5-1.el6 openafs-thiscell-FNAL Defines FNAL.GOV for openafs. pidgin-sipe purple-sipe A pidgin plugin for Microsoft Chat protocols Fermi Kerberos These rpms provide Fermi kerberos tools, configs, and expected behavior for SLF systems. krb5-fermi-addons-1.5-1.slf6 krb5-fermi-base-2.2-2 krb5-fermi-config-5.2-1 krb5-fermi-krb5.conf-5.2-1 krb5-fermi-getcert-2.1-1.slf6 Note that krb5-fermi-krb5.conf is not needed at FNAL, the krb5-fermi-config-4.4-1 package does the same thing. This package is intended for non SLF installs. revtex tetex-natbib-8.31a-1.sl6.1.noarch.rpm tetex-revtex-4.1-1.sl6.1.noarch.rpm Added to simplify creating articles for publication SLIP Scientific Linux Inventory Project client Added detection for matlab Added support for proxy connections ocsinventory-fermi formerly ocsinventory-client ocsinventory-fermi-0.9.9-26.noarch.rpm upsupdbootstrap Not installed by default. There are only 2 rpms now. upsupdbootstrap has been incorporated into each of the rpms below . Only can select 1. The x86_64 install has a "requires" for the 32bit glibc as all of ups/upd is 32bit. This the 32bit glibc is installed during the install. As always these rpms have NO functionality to OVERWRITE or UPGRADE a existing UPS/UPD install. Use UPS/UPD to upgrade UPS/UPD. A default x86_64 bit install does not install any 32 bit libraries These upsupdbootstrap* rpms have a dependency on glibc.i686 and compat-libtermcap to accomadate the library dependencies of all the ups/upd bootstrap installed packages. If other ups/upd packages are installed later then these need to be checked to make sure all 32 libraries are installed too. Use "ldd" to help with this determination. upsupdbootstrap-fnal-6.0-2 conflicts with upsupdbootstrap-local Installs ups/upd to /fnal/ups upsupdbootstrap-local-6.0-2 conflicts with upsupdbootstrap-fnal Installs ups/upd to /local/ups yum-conf-slf6x-1-2.slf6 Will keep you at 6x which is the current stable 6x release. So when we release the next release yum will automatically yum install it except for the kernel. yum-conf-fermi-internal Adds the fermi-internal yum repository yum-conf-fermi-internal yum-conf-fermi-other-6-6 Provides slf-fastbugs, fermi-testing and slf-debuginfo and slf-security-prerelease via /etc/yum.repos.d/slf-other.repo All of these repo's are disabled by default. Added slf-security-prerelease yum-autoupdate-2-6.7.slf yum-autoupdate has the nightly yum cron job in it. The nightly cron job has been modified to check the addons directory. zz_alpine_user_domain replaces zz_pine_user_domain By default when a user sends mail from alpine their email address is myname@mycomputer.fnal.gov. This rpm changes it so that the default is myname@fnal.gov by modifying the /etc/pine.conf config file. zz_apache_no_browsable_directory Disables the default apache indexes. By default directories will not be browsable. zz_apache_use_clogger This package will reconfigure the default /etc/httpd/conf/httpd.conf to use clogger in addition to the traditional /var/log/httpd/ logging. zz_auto_update_kernel Remove the exclude of the kernel from the nightly autoyum thus allowing the kernel to be upgraded via the nightly yum. Note that this does not check if you have custom kernel modules or a custom kernel installed. You have to ensure that this will work in your environment. You will have to reboot after the kernel is upgraded. The rpm does NOT reboot the system. Watch root email for notification of all nightly auto yum updates. zz_dhcp_resolv Removed compared to SL 5.x as not needed anymore. zz_disable_avahi This will turn off and disable the avahi daemons Now installed by default in both the "Fermi Desktop" and "Fermi Server" install choices. zz_enable_firewall_fnal-2.0-0 Not installed by default. Available if needed. Enables and populates /etc/sysconfig/iptables to allow incoming network connections for fnal.gov only except for a small list of approved ports. Installed by default if "Fermi Generic Desktop" or "Fermi Generic Server" are selected. Changed "off site" open ports to be only sshd. zz_fermi_ssh_config Provides fermi kerberized /etc/ssh/ssh_config file. Installed by default. Triggered on installation of openssh-clients . The order of entries in the config file was also incorrect previously but /etc/ssh/ssh_config should be fixed after installing this package. Tickets were not forwarding for unqualified hosts prior to this update. zz_fermi_sshd_config-5.3-3.3 Provides fermi kerberized /etc/ssh/sshd_config file. Installed by default. Triggered on installation of openssh-server. zz_gdm_doe_banner Provides the Fermi DOE Banner on all GDM login windows. This should be installed on all on-site systems using GDM per DOE policy. This is now installed by default on systems loading GDM zz_gdm_no_user_list Prevents GDM from displaying a list of valid users. This sets the same behavior as the default on previous versions of SLF. This is now installed by default on systems loading GDM zz_lang_collate-1.0-7 Changes LANG so that sorting is done the same as 6.1 and earlier. (ABCabc instead of AaBbCc). Can speed up programs that sort. zz_local_dns_cache Updated to release that does not include 8.8.8.8 . This rpm will change your machine to use a local dns cache before looking for the standard dns servers. Note, this rpm will install BIND, configure it, and start it. Note, the BIND process is called 'named' This rpm makes the following assumptions: - If this is a fresh install of the rpm, named will be started and /etc/resolv.conf will be _replaced_ with the only nameserver being '127.0.0.1' - If this rpm is updated, it will ensure 'nameserver 127.0.0.1' is in /etc/resolv.conf - When removed, not upgraded, 131.225.0.254 and 8.8.8.8 are set instead unless there is another nameserver already listed. - Behavior specific to referenced packages will be executed whenever those packages are installed, updated, or removed. They consist of: bind NetworkManager dhclient dnsmasq nscd - On a bind update, bind will be restarted if it is running and chkconfig named is on - On a bind update the 'stub' zones (the RFC1912 zones) will be reset. - On a bind update, 'nameserver 127.0.0.1' will be added to /etc/resolv.conf if not already listed and bind is running and chkconfig named is on. - On a bind update, if nscd is running and chkconfig nscd is on, nscd will be restarted. - On a NetworkManager installation or when zz_local_dns_cache is installed for the first time, '127.0.0.1' will be configured as the only DNS server for all interfaces whose configuration matches /etc/sysconfig/network-scripts/ifcfg-* that are not 'ifcfg-lo' When removed, and not upgraded, nameservers are set to 131.225.0.254 and 8.8.8.8 are set instead - On a dhclient installation or when when zz_local_dns_cache is installed for the first time, '127.0.0.1' is added the the dhcp provided DNS server list. When removed, not upgraded, this setting is removed. - On a dnsmasq installation or when when zz_local_dns_cache is installed for the first time, dnsmasq is disabled. - On a dnsmasq installation or when when zz_local_dns_cache is installed for the first time, dnsmasq is configured to query 127.0.0.1 if started with the defaul configuration file. This feature was requested by people using libvirt/kvm. - On a nscd installation or update, if nscd is running and also chkconfig nscd is on, then nscd will be restarted. If zz_local_dns_cache is removed an if nscd is running and also chkconfig nscd is on, then nscd will be restarted. Now correctly preserves config values when updating certain configs zz_logwatch_df Not needed anymore. zz_ntp_configure-4.2.6-5.slf Configure ntp for Fermi site network. Installed by default for "Desktop" and "Server" installs. Startup script now pokes hole in the firewall for itself One can manually change the script by editing the file /etc/sysconfig/ntpd.fermi Set default timeservers to 131.225.8.127 131.225.17.127 zz_screenlock_kde Enables screen lock with "blanking" screen saver so power saving monitors will go into sleep mode. Ensures that the Timeout value is 10 minutes or less. Installed by default with KDE . Note that KDE is not the default desktop. zz_sendmail_accept zz_postfix_accept Replaces SL_sendmail_accept . Enabled postfix or sendmail to receive email for non localhost network addresses. zz_sendmail_fermi_gateway zz_postfix_fermi_gateway The zz_postfix_fermi_gateway rpm was fixed to change the RELAY parameter to be smtp.fnal.gov. zz_sendmail_fermi_gateway modified to be smtp.fnal.gov zz_sendmail_fermi_gateway fixed to restore old status correctly zz_tcp_wrappers_change Disable all offsite access to common network services. Also puts in the "DOE required login banners". If it determines that you have already modified /etc/hosts.allow or host.deny it leaves them alone. Installed by default for "Desktop" and "Server" installs. zz_use_clogger Adds /etc/rsyslog.d/000-use-clogger.conf to log to clogger.fnal.gov Installed by default for "Desktop" and "Server" installs. --------------------------------------------------------------------------- UPDATED compared to Scientific Linux 6 i386/x86_64 ---------------------------------------------------------------------------- pam_krb5 pam_krb5 has NOT been updated to support cryptocards. There is NO support for cryptocards in this release. redhat-logos Includes graphics from SL This version of redhat-logo's has all of the generic changes that were made with Scientific Linux as well as changes to make it look like SLF. Now provides sl-logos and slf-logos yum-conf-adobe x86_64 support was added Added this metapackage which will install the 32 or 64 bit repo depending on your system. yum-conf-atrpms yum-conf-elrepo yum-conf-epel yum-conf-rpmforge yum-conf-rpmfusion Installs the repo files for these external repos. The repos remain disabled and a few packages have been masked to prevent their installation as they conflict with ones we provide. Additionally yum-plugin-protectbase is installed to further prevent installing these packages over SLF provided packages. The documentation for yum-plugin-protectbase provides further instructions on changing this behavior. End users are responsible to verify that they comply with all Licenses . ----------------------------------------------------------------------------- REMOVED compared to Scientific Linux 6 i386/x86_64 ----------------------------------------------------------------------------- revisor-mock sl-release sl-release-notes sl-bookmarks ---------------------------------------------------------------------------- Installer modifications -- compared to SL 6 --------------------------------------------------------------------------- Anaconda (installer) Changes to "defaults" in the installer. The timezone default is still America/Chicago but the method of change has changed . The new method changes the default for all "lang=en_US.UTF-8" installs . Note that "lang=en_US.UTF-8" is the default. Can change with either kickstart or the install GUI . Fixed the issue where slf6.x could not be installed as kvm guest. America/Chicago is default timezone. Default was New York. Kerberos is enabled by default . Default network boot.iso install is via http to the onsite installation servers . Disk Partitioning layout default is "custom". The ipv4 vs ipv6 default was changed to ipv4. ipv6 can still be selected if needed. We changed the default choice for "tasks" to be "Fermi Generic Desktop" and "Fermi Generic Server" . The boot.iso image installs the security errata by default. The DVD iso images have the option to select that security errata are installed by default. Compatibility NSS/NSPR libraries These are installed by default on systems selecting GUI desktops. These were added to simplify use of the onsite VPN --------------------------------------------------------------------------- KNOWN LIMITATIONS/BUGS --------------------------------------------------------------------------- "text" install only installs "core". There is no X . This is a VERY VERY VERY limited install. If there is not "enough" memory the kdump "first boot" screen will pop up a "error box". This "error" looks "bad" but it is just informational. During a network install there is a "screen" that displays the "installation" repositories. There is no need to disable any of these. Please DO NOT disable any of these repos. Note that updates are only between the same major version. So in this case that is SLF 6 to SLF 6. This is the same as TUV. There are NO UPGRADES from SLF 4 or 5 to SLF 6 , not even yum upgrades !!!! Don't try it it doesn't work. If you enter a "hostname" during the install and you have selected "dhcp" the "hostname" will be what is returned by the "hostname" command but this will NOT set DHCP_HOSTNAME to this "hostname" as happened on SLF 5. To enable dhcp hostname edit /etc/sysconfig/network-scripts/ifcfg-<name>. Add DHCP_HOSTNAME=<dhcp host>. --------------------------------------------------------------------------- MISC NOTES --------------------------------------------------------------------------- --------------------------------------------------------------------------- SUPPORT INFO --------------------------------------------------------------------------- Scientific Linux Fermi web pages http://fermilinux.fnal.gov/ Fermi Linux Community support mailing list linux-users@fnal.gov Which is archived at http://listserv.fnal.gov/archives/linux-users.html Scientific Linux web page http://www.scientificlinux.org ------------------------------------------------------------------------------ SECURITY ERRATA RELEASED AFTER SLF6.x was released ------------------------------------------------------------------------------ Security errata will not be placed in the default install tree as has been done with prior releases of Scientific Linux Fermi. They will only reside in the updates/security/ directory. The boot.iso "network install iso" will install all available security errata during the install unless you disable the security repo during the install. The DVD images do NOT install security errata during the install by default because the network is not available. If you enable the "Scientific Linux Fermi Security" repo on the "repo" screen then security errata will be installed assuming the network is available. You will have to do a "yum -y update" after the installation via DVD to install all the security errata if you did not enable the network and the "Scientific Linux Fermi Security" repo during the install.